Thingiverse, a 3D printing business unit that has its hands in various kinds of digital designs and printing, recently became the victim of a massive data breach, leaking almost 36 GB of customers' unique email addresses along with some personal and uniquely identifiable information.
The leak was confirmed by Have I Been Pwned creator Troy Hunt in a statement to Information Security Media Group. The breach, first discovered on October 1st by Twitter user pompompurin, was the result of a “misconfigured S3 bucket” from Thingiverse’s backup data.
The Thingiverse team said in a statement that the data breach impacted the real information of fewer than 500 users. According to the company, the compromised data is mostly non-production, non-sensitive data, consisting largely of encrypted data and testing data.
Reportedly, the breach happened because of internal human error. Although the company did not observe any other suspicious activity, it has notified its users and advised them to watch for suspicious activity in the future.
While there’s no sign that plain text passwords have been leaked, Have I Been Pwned tweeted about the presence of “unsalted SHA-1 or bcrypt password hashes” in the data. A salt is random data added to the hashing process (a one-way transformation) so that the same password does not always produce the same hash. While hashed passwords are still unreadable without considerable effort, they are easier to crack when no salt is present. (BollyInside)
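
The effect of a salt described above, as an added example that is not part of the original article: it stores the same passwords once as bare SHA-1 and once with a per-user salt, then audits each store for users who share a hash. The accounts, passwords and iteration count are constructed, and PBKDF2 from Python's standard library stands in for bcrypt, which needs a third-party package.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts, not taken from the leaked data.
USERS = {"alice": "printer123", "bob": "printer123", "carol": "filament!9"}
ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor


def unsalted_sha1(password):
    """Bare SHA-1 with no salt: the same password always gives the same hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Per-user random salt plus a slow KDF; returns (salt, derived key)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify(password, salt, expected_key):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], expected_key)


def shared_hash_groups(hashes):
    """Audit helper: groups of users whose stored hash value is identical."""
    groups = defaultdict(list)
    for user, stored in hashes.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_stores(users=USERS):
    """Return (user -> SHA-1 hex, user -> (salt, key)) for the same passwords."""
    weak = {u: unsalted_sha1(p) for u, p in users.items()}
    strong = {u: salted_hash(p) for u, p in users.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_stores()
    keys = {u: key for u, (salt, key) in strong.items()}
    print("unsalted SHA-1, users sharing a hash:", shared_hash_groups(weak))
    print("salted PBKDF2, users sharing a hash:", shared_hash_groups(keys))
    salt, key = strong["alice"]
    print("correct password verifies:", verify("printer123", salt, key))
```

In the unsalted store, every account that reuses a password shows up in the same group, so recovering one hash exposes all of them; in the salted store the groups are empty even though two users chose the same password.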